
Findbugs usage

2022-07-20 17:36:10  Views: 485  Source: Internet

Tags: java analysis usage classes report output line Findbugs


http://findbugs.sourceforge.net/eclipse/

CLI Tutorial

Download

Download the package containing the tool from the latest release.

The content should look like this:

> unzip findsecbugs-cli.zip
> cd findsecbugs-cli
> ls
findsecbugs.bat	findsecbugs.sh	include.xml	lib

Simple example of usage

> findsecbugs.bat -high C:\Java\jenkins\WEB-INF\lib\remoting-2.53.jar
H S CIPINT: The cipher does not provide data integrity  At HandshakeCiphers.java:[line 111]
H S CIPINT: The cipher does not provide data integrity  At HandshakeCiphers.java:[line 113]
H S CIPINT: The cipher does not provide data integrity  At ChannelCiphers.java:[line 89]
H S CIPINT: The cipher does not provide data integrity  At ChannelCiphers.java:[line 91]
H S SECOBDES: Object deserialization is used in hudson.remoting.Capability.read(InputStream)  At Capability.java:[line 139]
H S SECOBDES: Object deserialization is used in hudson.remoting.Command.readFrom(Channel, ObjectInputStream)  At Command.java:[line 92]
H S SECOBDES: Object deserialization is used in hudson.remoting.UserRequest.deserialize(Channel, byte[], ClassLoader)  At UserRequest.java:[line 184]
H S SECOBDES: Object deserialization is used in hudson.remoting.RemoteInputStream.readObject(ObjectInputStream)  At RemoteInputStream.java:[line 179]
H S SECOBDES: Object deserialization is used in hudson.remoting.ClassLoaderHolder.readObject(ObjectInputStream)  At ClassLoaderHolder.java:[line 35]
H S CIPINT: The cipher does not provide data integrity  At Launcher.java:[line 289]
H S SECPTI: File(...) reads a file whose location might be specified by user input  At CmdLineParser.java:[line 552]
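The text-mode lines above follow a fixed shape: a confidence letter (H, M or L), a category letter (S for Security), the bug pattern code, the message, and `At <File>:[line <n>]`. The following script, added here as an example and not part of the original tutorial or the Find Security Bugs project, parses that output into structured findings, counts them per bug pattern, and returns a non-zero status when any high-confidence finding is present, which is the usual way to turn a scan into a CI gate. The embedded sample is the run shown above plus one progress line to show that non-finding lines are skipped; the regular expression is this example's own assumption about the format, derived from those lines.

```python
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Text-mode output line as printed by findsecbugs (format inferred from the run above):
#   <priority> <category> <BUGCODE>: <message>  At <File.java>:[line <n>]
# priority is H/M/L (high/medium/low confidence), category S means Security.
LINE_RE = re.compile(
    r"^(?P<priority>[HML])\s+(?P<category>[A-Z])\s+(?P<code>[A-Z0-9_]+):\s+"
    r"(?P<message>.*?)\s+At\s+(?P<file>\S+):\[line\s+(?P<line>\d+)\]$"
)

# Sample input: the eleven findings printed in the run above, plus one progress
# line of the kind -progress emits, to show that non-finding lines are skipped.
SAMPLE_OUTPUT = """\
Scanning archives (1 / 1)
H S CIPINT: The cipher does not provide data integrity  At HandshakeCiphers.java:[line 111]
H S CIPINT: The cipher does not provide data integrity  At HandshakeCiphers.java:[line 113]
H S CIPINT: The cipher does not provide data integrity  At ChannelCiphers.java:[line 89]
H S CIPINT: The cipher does not provide data integrity  At ChannelCiphers.java:[line 91]
H S SECOBDES: Object deserialization is used in hudson.remoting.Capability.read(InputStream)  At Capability.java:[line 139]
H S SECOBDES: Object deserialization is used in hudson.remoting.Command.readFrom(Channel, ObjectInputStream)  At Command.java:[line 92]
H S SECOBDES: Object deserialization is used in hudson.remoting.UserRequest.deserialize(Channel, byte[], ClassLoader)  At UserRequest.java:[line 184]
H S SECOBDES: Object deserialization is used in hudson.remoting.RemoteInputStream.readObject(ObjectInputStream)  At RemoteInputStream.java:[line 179]
H S SECOBDES: Object deserialization is used in hudson.remoting.ClassLoaderHolder.readObject(ObjectInputStream)  At ClassLoaderHolder.java:[line 35]
H S CIPINT: The cipher does not provide data integrity  At Launcher.java:[line 289]
H S SECPTI: File(...) reads a file whose location might be specified by user input  At CmdLineParser.java:[line 552]
"""


@dataclass(frozen=True)
class Finding:
    priority: str
    category: str
    code: str
    message: str
    file: str
    line: int


def parse_findings(text):
    """Return one Finding per matching line; progress and blank lines are ignored."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        findings.append(Finding(
            priority=m.group("priority"),
            category=m.group("category"),
            code=m.group("code"),
            message=m.group("message"),
            file=m.group("file"),
            line=int(m.group("line")),
        ))
    return findings


def count_by_code(findings):
    """Number of findings per bug pattern code, e.g. {'CIPINT': 5, ...}."""
    return dict(Counter(f.code for f in findings))


def gate(findings, fail_on=("H",)):
    """Findings whose confidence letter is in `fail_on`; a non-empty list means the gate fails."""
    return [f for f in findings if f.priority in fail_on]


def exit_status(text, fail_on=("H",)):
    """0 when no gated finding is present, 1 otherwise (suitable as a CI step result)."""
    return 1 if gate(parse_findings(text), fail_on) else 0


if __name__ == "__main__":
    # Read a real report from stdin (e.g. `findsecbugs.sh -high app.jar | python gate.py`),
    # or fall back to the embedded sample when run interactively.
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    found = parse_findings(report)
    for code, n in sorted(count_by_code(found).items()):
        print(f"{code:10s} {n}")
    for f in gate(found):
        print(f"{f.priority} {f.code} {f.file}:{f.line}  {f.message}")
    sys.exit(exit_status(report))
```

Because the default output combines warnings that differ only in line number, pass `-dontCombineWarnings` (listed under Additional arguments) when the line-level detail matters to the gate.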

HTML report

The following command writes all results to an HTML report.

> findsecbugs.bat -progress -html -output report.htm C:\Java\jenkins\WEB-INF\lib\remoting-2.53.jar
Scanning archives (1 / 1)
2 analysis passes to perform
Pass 1: Analyzing classes (1010 / 1010) - 100% complete
Pass 2: Analyzing classes (349 / 349) - 100% complete
Done with analysis

Scanning multiple jars

On linux:

> find /some/application/ -name \*.jar > libs.txt
> cat libs.txt | findsecbugs.sh -xargs -progress -html -output report.htm
 
Scanning archives (156 / 156)
2 analysis passes to perform
Pass 1: Analyzing classes (16922 / 48118) - 35% complete

On Windows:

> dir "C:/Some/Application/" /s /b  | findstr \.jar$ > libs.txt
> cat libs.txt | findsecbugs.bat -xargs -progress -html -output report.htm
 
Scanning archives (156 / 156)
2 analysis passes to perform
Pass 1: Analyzing classes (16922 / 48118) - 35% complete
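The Linux and Windows recipes above differ only in how the jar list is produced; the scanner itself always reads the list from standard input because of `-xargs`. The script below, added here as an example and not part of the original tutorial or the Find Security Bugs project, does the same job portably: it walks a directory for `*.jar` files, pipes the sorted list into the launcher with `-xargs -progress -html -output`, and adds `-exitcode` (listed under Additional arguments) so the process status can be inspected afterwards. The three exit-code flag values are taken from FindBugs' `edu.umd.cs.findbugs.ExitCodes` class and are not described on this page; the launcher name and output file name are assumptions.

```python
import os
import subprocess
import sys
from pathlib import Path

# Launcher script shipped in the CLI package (see the `ls` listing above);
# assumed to be on PATH or passed to scan() as an absolute path.
DEFAULT_LAUNCHER = "findsecbugs.bat" if os.name == "nt" else "findsecbugs.sh"

# Bits FindBugs sets in the process exit status when -exitcode is given
# (edu.umd.cs.findbugs.ExitCodes; not described on the page above).
BUGS_FOUND_FLAG = 1
MISSING_CLASS_FLAG = 2
ERROR_FLAG = 4


def filter_jars(paths):
    """Keep only *.jar entries (case-insensitive) and return them sorted, so the
    list fed to -xargs is deterministic across runs and platforms."""
    return sorted(str(p) for p in paths if str(p).lower().endswith(".jar"))


def collect_jars(root):
    """Recursive equivalent of `find root -name '*.jar'` and `dir root /s /b | findstr \\.jar$`."""
    return filter_jars(p for p in Path(root).rglob("*") if p.is_file())


def build_command(output="report.htm", launcher=DEFAULT_LAUNCHER, high_only=False):
    """Argument vector for a -xargs run; the jar list goes on stdin, not on the command line."""
    cmd = [launcher, "-xargs", "-progress", "-exitcode", "-html", "-output", output]
    if high_only:
        cmd.insert(1, "-high")
    return cmd


def decode_exit_code(code):
    """Split a -exitcode status into its three flag bits."""
    return {
        "bugs_found": bool(code & BUGS_FOUND_FLAG),
        "missing_classes": bool(code & MISSING_CLASS_FLAG),
        "errors": bool(code & ERROR_FLAG),
    }


def scan(root, output="report.htm", launcher=DEFAULT_LAUNCHER, high_only=False):
    """Collect every jar under `root`, pipe the list to the launcher via -xargs and
    return (exit code, decoded flags). Requires the CLI package to be installed."""
    jars = collect_jars(root)
    if not jars:
        raise FileNotFoundError(f"no .jar files found under {root}")
    proc = subprocess.run(
        build_command(output, launcher, high_only),
        input="\n".join(jars) + "\n",  # one path per line, as cat libs.txt | ... -xargs would send
        text=True,
        check=False,
    )
    return proc.returncode, decode_exit_code(proc.returncode)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    code, flags = scan(root)
    print(f"exit code {code}: {flags}")
    # Missing classes (e.g. an incomplete -auxclasspath) reduce analysis quality but are
    # reported as a warning here; findings and analysis errors fail the job.
    if flags["missing_classes"]:
        print("warning: some referenced classes were missing during analysis", file=sys.stderr)
    sys.exit(1 if flags["bugs_found"] or flags["errors"] else 0)
```

Run it as `python scan_jars.py /some/application/` and open `report.htm` afterwards; with a large application expect the same multi-pass progress output shown above.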

Additional arguments

To see the available options, use the -help argument.

> findsecbugs

No files to be analyzed
Usage: findbugs [general options] -textui [command line options...] [jar/zip/class files, directories...]
General options:
  -jvmArgs args    Pass args to JVM
  -maxHeap size    Maximum Java heap size in megabytes (default=768)
  -javahome <dir>  Specify location of JRE
  General FindBugs options:
    -project <project>                       analyze given project
    -home <home directory>                   specify FindBugs home directory
    -pluginList <jar1[;jar2...]>             specify list of plugin Jar files to load
    -effort[:min|less|default|more|max]      set analysis effort level
    -adjustExperimental                      lower priority of experimental Bug Patterns
    -workHard                                ensure analysis effort is at least 'default'
    -conserveSpace                           same as -effort:min (for backward compatibility)
    -showPlugins                             show list of available detector plugins
    -userPrefs <filename>                    user preferences file, e.g /path/to/project/.settings/edu.umd.cs.findbugs.core.prefs for Eclipse projects
  Output options:
    -timestampNow                            set timestamp of results to be current time
    -quiet                                   suppress error messages
    -longBugCodes                            report long bug codes
    -progress                                display progress in terminal window
    -release <release name>                  set the release name of the analyzed application
    -experimental                            report of any confidence level including experimental bug patterns
    -low                                     report warnings of any confidence level
    -medium                                  report only medium and high confidence warnings [default]
    -high                                    report only high confidence warnings
    -maxRank <rank>                          only report issues with a bug rank at least as scary as that provided
    -dontCombineWarnings                     Don't combine warnings that differ only in line number
    -sortByClass                             sort warnings by class
    -xml[:withMessages]                      XML output (optionally with messages)
    -xdocs                                   xdoc XML output to use with Apache Maven
    -html[:stylesheet]                       Generate HTML output (default stylesheet is default.xsl)
    -emacs                                   Use emacs reporting format
    -relaxed                                 Relaxed reporting mode (more false positives!)
    -train[:outputDir]                       Save training data (experimental); output dir defaults to '.'
    -useTraining[:inputDir]                  Use training data (experimental); input dir defaults to '.'
    -redoAnalysis <filename>                 Redo analysis using configureation from previous analysis
    -sourceInfo <filename>                   Specify source info file (line numbers for fields/classes)
    -projectName <project name>              Descriptive name of project
    -reanalyze <filename>                    redo analysis in provided file
    -output <filename>                       Save output in named file
    -nested[:true|false]                     analyze nested jar/zip archives (default=true)
  Output filtering options:
    -bugCategories <cat1[,cat2...]>          only report bugs in given categories
    -onlyAnalyze <classes/packages>          only analyze given classes and packages; end with .* to indicate classes in a package, .- to indicate a package prefix
    -excludeBugs <baseline bugs>             exclude bugs that are also reported in the baseline xml output
    -exclude <filter file>                   exclude bugs matching given filter
    -include <filter file>                   include only bugs matching given filter
    -applySuppression                        Exclude any bugs that match suppression filter loaded from fbp file
  Detector (visitor) configuration options:
    -visitors <v1[,v2...]>                   run only named visitors
    -omitVisitors <v1[,v2...]>               omit named visitors
    -chooseVisitors <+v1,-v2,...>            selectively enable/disable detectors
    -choosePlugins <+p1,-p2,...>             selectively enable/disable plugins
    -adjustPriority <v1=(raise|lower)[,...]> raise/lower priority of warnings for given visitor(s)
  Project configuration options:
    -auxclasspath <classpath>                set aux classpath for analysis
    -auxclasspathFromInput                   read aux classpath from standard input
    -auxclasspathFromFile <filepath>         read aux classpaths from a designated file
    -sourcepath <source path>                set source path for analyzed classes
    -exitcode                                set exit code of process
    -noClassOk                               output empty warning file if no classes are specified
    -xargs                                   get list of classfiles/jarfiles from standard input rather than command line
    -analyzeFromFile <filepath>              get the list of class/jar files from a designated file
    -cloud <id>                              set cloud id
    -cloudProperty <key=value>               set cloud property
    -bugReporters <name,name2,-name3>        bug reporter decorators to explicitly enable/disable
    -printConfiguration                      print configuration and exit, without running analysis
    -version                                 print version, check for updates and exit, without running analysis

More information

For more information, see the official FindBugs documentation: http://findbugs.sourceforge.net/manual/running.html

Using Find Security Bugs on a large number of jars: http://blog.h3xstream.com/2016/01/deserialization-vulnerability.html

Source: https://www.cnblogs.com/macter/p/16215268.html
